Information + Technology Services

Divisional Risk Assessment

The purpose of a Divisional Risk Assessment carried out by ISEA is to provide a high-level qualitative and quantitative review of the people, processes and technology of a division, and of its handling of confidential information, in order to determine the division's current risk posture. The assessment is not a comprehensive evaluation, but it does identify the high-level risks and provide guidance on prioritizing and remediating them, to help the division reduce its risk to an acceptable level.

Approach

A Divisional Risk Assessment follows the six-phase approach used in other successfully completed assessments:

Survey > Inventory > Connect > Classify > Analyze > Assess


Scope

The following will be out of scope.

  • Financial Controls
  • Physical Security Controls


Interviewees

The process starts with a series of interviews of key people, such as those in the following or similar positions, or someone they designate:

  • Chief Administrative Officer
  • IT Manager
  • IT Staff
  • Technology support
  • Academic Leadership, as needed
  • Administrative staff, as needed
  • External suppliers of services (firewall, backups, classroom management)

In general, all interviews will take place with the IT manager present.

Process

In more detail, these are the steps planned for a Divisional Risk Assessment.

Survey

The survey step is the scoping exercise. In this step we want to identify:

  • Internal departments
  • IT systems / services / processes
  • Broad usages
  • Division-wide governance / compliance requirements (such as FIPPA) and division-specific requirements, both external and internal
  • Key sources of data
  • Any existing data, such as system analyses by ISEA, to inform this process

The survey will produce an organization chart on which major information systems / data repositories, data flows and academic/administrative processes can be overlaid, and a high-level view of controls / risk management processes.

Inventory (Asset / Process)

In this step we confirm and expand on the responses from the Survey step by identifying components (data, actors, and constraints):

  • Data repositories / systems (locations, ownership, custodianship and support for business functions / objectives)
  • Departments / groups / roles
  • Governance / compliance requirements (legislation, regulations, and contractual obligations)

Connect

Based on the Inventory, in this step we identify the links, formal and informal, that connect:

  • Data / process / procedure interactions (data flows)
  • External data sources / destinations (integration with University systems) – upstream and downstream dependencies
  • Internal / external services

Classify data

In this step we will create data classifications based on:

  • Impact of disclosure, alteration, loss and compromise (lack of accountability)
  • Point of origin for / destination of data

Classifications are in the context of governance / compliance requirements and organizational objectives (builds on data collected in the Inventory phase).

Analyze the situation

We will provide an understanding of the environment's controls as they relate to the connections identified in the Connect step, in the context of the following:

  • Identity Management
  • Access and Change controls
  • Encryption and Network Isolation
  • Service Continuity
  • Monitoring and Reporting
  • Risk Analysis
  • Architectural Alignment
  • Data Governance Compliance

Assess the Risks

In this step we perform Risk and Strategic Integration Assessments: the controls (or lack of controls) found in the Analysis step are compared against the requirements for protecting the data, as prioritized in the Classify step, to assess the division's risk exposure.

Deliverables

Our deliverable will be a report and a spreadsheet that contain all of the above work and that highlight, and provide suggested remediation for, the following concerns where they are found:

  1. Groups and / or data outside of identified compliance requirements. (This indicates an absence of governance, or lack of control.)
  2. Groups and / or data without access / change / reporting controls. (This is a technical assessment indicating risk exposure, e.g. the possibility of data / system misuse resulting in a business impact.)
  3. Gaps in data flow connections. (An example would be repositories of data with no connections. Identification allows operational architecture optimization.)
  4. Gaps in the provision of information services. (An example would be the lack of a technologist to aid lecture capture.)
  5. Duplication of data repositories and services. (An example would be people collecting the same data in different places, or the use of multiple applications for similar services. Identification allows operational architecture optimization.)
  6. Self-provision of centrally available services. (Identification of services that are available from the centre but that the division is not currently using. The division could then choose to leverage these core services in order to free local resources for unit-differentiating activities.)

Timelines

A divisional risk assessment takes up to three months to complete, depending on the availability of personnel within the division and within ISEA.